System Admin hangs when bulk modifying access levels

Symptom

System Admin hangs when bulk modifying access levels.

From the application and system event logs, it is found that the DCOM permission is not enabled for the user. 

DCOM error with event ID: 10016 is reported in WER.

Resolution

Enable the DCOM permission to the user. Below are the steps to resolve the error:

The Distributed Component Object Model (DCOM) is an integral aspect of networked communication on Windows computers. It is a proprietary Microsoft technology which whirs into action every time an application makes a connection to the internet. 

A traditional COM can only access information on the same machine, whereas DCOM can access data on remote servers.

A DCOM error usually occurs when an application or service attempts to use DCOM but does not have the proper permissions.

Two methods to fix this error. Method 1 is an easy method. Method 2 is slightly lengthy. Provided both methods below:

Method -1 : Edit the Windows Registry to Fix DCOM Error 10016

Before editing the registry, I recommend taking a backup. To do the same Type registry in your Start Menu search bar and select the Best Match. Head to File > Export, set the Export Range to All, then Save the Windows Registry to a handy location. This backup can be used to restore from in the event of an unexpected error after applying the fix.

Below are the steps to fix DCOM error 10016:

1.    Type regedit.exe in run command window and click enter. (Launch registry editor)

2.    Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole. You can copy and paste the address into the Registry Editor address bar.

3.    Delete the following four registry keys:

DefaultAccessPermission

DefaultLaunchPermission

MachineAccessRestriction

MachineLaunchRestriction

4.    Close the Windows Registry Editor, then reboot your system.

System should remain DCOM Error 10016 free from now on.

Method-2: Enable DCOM Permissions for Specific Error

If Method-1 doesn't work, here is a substantially longer workaround that can be followed. However, if we have several individual applications all providing DCOM errors, the following process will take some time as you have to repeat the majority of it for each error.

The DCOM Error 10016 error message in the Event Viewer contains information regarding the specific application or process creating the issue


1.    In the event viewer, head to Windows Logs > System and locate the most recent DCOM Error 10016. Double-click the error message to expand it.

2.    The General tab explains the reason for 10016 error, listing the CLSID (Class ID) and APPID (Application ID). The CLSID and APPID character strings look random. However, we can use them to identify which application or service is the route of the 10016 error.

3.    Locate CLSID and APPID in the Registry Editor

a.    Here's how we can locate the application / service in the Registry Editor.

b.    First, highlight the CLSID in the Event Viewer, then press CTRL + C to copy. Then, open the Registry Editor. Search the registry for the following:

                HKEY_CLASSES_ROOT\CLSID\{Paste Your CLSID Here}

     For example: It looks like HKEY_CLASSES_ROOT\CLSID\{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}.

Remember, we can copy and paste the address into the Registry Editor address bar. Once the CLSID search finishes, we can cross-reference the APPID from the error message with the AppID listed under the CLSID.

In our case, the DCOM Error 10016 should stem from the SystemAdministrator.exe / LSLServer.exe

4.    Edit the CLSID Permissions

In the left-hand list of registry entries, right-click the CLSID relating to the error, then select Permission > Advanced. From here, we can edit the Permissions of the service / application.

Highlight Administrators and select Edit. Switch the Basic Permissions to include Full Control, then hit OK > Apply > OK.

5.    Now, restart your system.

Once the restart completes, input dcomcnfg.exe run command bar. Head to Computers > My Computer > DCOM Config.

We can see a long list of applications/services that uses DCOM in some   manner. Locate the application / service using the name and APPID, right-click and select Properties > Security.

Under Launch and Activation Permissions, select Edit > Add > Add an User name for whom the DCOM permission is required > Apply. Now, tick all the options in “Permissions for user” box, hit OK, 

Reboot the system again. All done, the process is complete.

Applies To:

All machines which are using OnGuard (All versions) in distributed environments.

Additional Information


Copyright © 2022 Carrier. All rights reserved.